CN114528592A - Service processing method, device, equipment, medium and program product - Google Patents

Publication number
CN114528592A
Authority
CN
China
Prior art keywords
user
white list
service
information
database
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210189665.6A
Other languages
Chinese (zh)
Inventor
胡康康
李承文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Application filed by China Construction Bank Corp
Priority to CN202210189665.6A
Publication of CN114528592A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The disclosure provides a service processing method, which can be applied to the technical field of big data. The service processing method comprises the following steps: after obtaining the user's authorization to acquire identity information, reading first white list information of a primary database in response to a service request initiated by the user, wherein the service request comprises a user identifier of the user; reading second white list information of a secondary database when the reading of the first white list information is determined to be abnormal; parsing the second white list information according to the user identifier to obtain authority information, represented in binary form, between the user and a plurality of service components; and routing the service request to the plurality of service components according to the authority information to process the service request. The disclosure also provides a service processing apparatus, a device, a storage medium and a program product.

Description

Service processing method, device, equipment, medium and program product
Technical Field
The present disclosure relates to the field of big data, specifically to the field of data processing and the field of information security in the big data field, and more specifically to a method, an apparatus, a device, a medium, and a program product for service processing.
Background
In information systems, a user's service processing request is usually verified through a white list mechanism. In particular, after a new function is released or a new development technology is adopted in the system, or when two systems run in parallel, a white list mechanism is needed to control the user's access to the new function module or the new system and thereby control service processing.
However, once the white list execution mechanism becomes abnormal or the white list information becomes invalid, stable access to the system is adversely affected. Therefore, high availability and high stability become important factors affecting normal service processing under the white list mechanism.
Disclosure of Invention
In view of the above, the present disclosure provides a service processing method, apparatus, device, medium, and program product with high availability and high extensibility.
According to a first aspect of the present disclosure, a service processing method is provided, including: after obtaining a user's authorization to acquire identity information, reading first white list information of a primary database in response to a service request initiated by the user, wherein the service request comprises a user identifier of the user; reading second white list information of a secondary database when the reading of the first white list information is determined to be abnormal; parsing the second white list information according to the user identifier to obtain authority information, represented in binary form, between the user and a plurality of service components; and routing the service request to the plurality of service components according to the authority information to process the service request.
According to an embodiment of the present disclosure, the service request includes at least one service type; routing the service request to the plurality of service components to process the service request, comprising: acquiring at least one target service component corresponding to at least one service type in the plurality of service components; determining at least one access identifier corresponding to the at least one target service component in the authority information; and processing the service request through the at least one target service component according to the at least one access identifier.
According to an embodiment of the present disclosure, the routing the service request to the plurality of service components according to the authority information to process the service request further includes: acquiring a flow control identifier in the authority information; and intercepting the service request when the flow control identifier is determined to indicate that the user is subject to flow control.
According to an embodiment of the present disclosure, the method further comprises: adding white list information in the primary database and the secondary database; the adding white list information in the primary database and the secondary database comprises: acquiring newly added information and a user identifier corresponding to the newly added information; converting the newly added information into binary data, wherein the binary data comprises binary bits that respectively represent a flow control identifier and an access identifier of at least one service component; converting the binary data into decimal data, wherein the decimal data is the authority information; and generating white list information according to the decimal data and the user identifier.
According to an embodiment of the present disclosure, the adding white list information in the primary database and the secondary database further includes: calling a first interface of the primary database and a second interface of the secondary database, wherein the first interface and the second interface are the same; and adding the white list information to the primary database and the secondary database through the first interface and the second interface respectively.
According to an embodiment of the present disclosure, the method comprises: modifying the flow control identifier in the binary data when the white list information is determined to have been successfully added to both the primary database and the secondary database, wherein the modified flow control identifier indicates that the user is released from flow control.
According to an embodiment of the present disclosure, the primary database is a cache, and the secondary database is a distributed database.
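The add path described in the embodiments above (binary data converted to a decimal authority value, the same interface on both databases, flow control released only after both writes succeed), as an added Python example that is not part of the patent text. The bit layout, the component names, the `DictStore` stand-in and the choice to write a new entry with the flow-control bit set are assumptions made for the example.

```python
from typing import Dict, Iterable, List, Optional

# Assumed layout (the page does not fix one): bit 0 is the flow-control flag,
# bit i+1 is the access identifier of COMPONENTS[i]; a 1 bit means "set".
COMPONENTS: List[str] = ["login", "transfer", "statement"]  # hypothetical names
FLOW_CONTROL_BIT = 0


class DictStore:
    """Stand-in for either database tier; both expose the same put/get interface."""

    def __init__(self, fail_writes: bool = False) -> None:
        self.data: Dict[str, str] = {}
        self.fail_writes = fail_writes

    def put(self, key: str, value: str) -> None:
        if self.fail_writes:
            raise ConnectionError("store unavailable")
        self.data[key] = value

    def get(self, key: str) -> Optional[str]:
        return self.data.get(key)


def encode_permissions(allowed: Iterable[str], flow_controlled: bool) -> int:
    """Build the binary data, then convert it to the decimal authority value."""
    allowed = set(allowed)
    unknown = allowed - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown service components: {sorted(unknown)}")
    flags = [flow_controlled] + [name in allowed for name in COMPONENTS]
    # Most significant bit first, so flags[0] ends up as bit 0.
    binary = "".join("1" if flag else "0" for flag in reversed(flags))
    return int(binary, 2)


def put_both(stores, user_id: str, value: int) -> bool:
    """Write through the shared interface; True only if every tier accepted it."""
    ok = True
    for store in stores:
        try:
            store.put(user_id, str(value))
        except ConnectionError:
            ok = False
    return ok


def add_whitelist_entry(user_id: str, allowed: Iterable[str],
                        primary: DictStore, secondary: DictStore) -> int:
    """Add an entry to both tiers and return the authority value now in force."""
    # Assumption: a new entry starts with the flow-control bit set.
    held = encode_permissions(allowed, flow_controlled=True)
    if not put_both((primary, secondary), user_id, held):
        return held  # a tier is missing the entry: the user stays flow-controlled
    released = held & ~(1 << FLOW_CONTROL_BIT)
    # If the release write fails on a tier, report the held value so the
    # caller knows the two tiers may disagree and the release is incomplete.
    return released if put_both((primary, secondary), user_id, released) else held
```

A partial write leaves the flow-control bit set, so a user whose entry exists in only one tier is intercepted rather than routed on incomplete data.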
A second aspect of the present disclosure provides a service processing apparatus, including: a reading module for reading, after obtaining the user's authorization to acquire identity information, first white list information of the primary database in response to a service request initiated by the user, wherein the service request comprises the user identifier of the user; a determining module for reading second white list information of the secondary database when the reading of the first white list information is determined to be abnormal; a parsing module for parsing the second white list information according to the user identifier to obtain authority information, represented in binary form, between the user and the plurality of service components; and a routing module for routing the service request to the plurality of service components according to the authority information so as to process the service request.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the service processing method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having executable instructions stored thereon, which, when executed by a processor, cause the processor to perform the above-mentioned service processing method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described service processing method.
The present disclosure provides a service processing method with high availability and scalability. By storing the white list information in a two-level database consisting of two databases, the situation in which one database is abnormal and the system therefore cannot be accessed is avoided, and the high availability of the service processing method is guaranteed. In addition, by providing corresponding key values and uniform interfaces in the two databases, the two databases achieve good consistency and extensibility, and development, operation and maintenance costs are effectively reduced.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture diagram of a service processing method, apparatus, device, medium, and program product according to embodiments of the disclosure;
FIG. 2 schematically shows an application scenario of a service processing method according to an embodiment of the present disclosure;
FIG. 3 schematically shows a flow chart of a service processing method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram for processing a service request according to authority information, according to an embodiment of the disclosure;
FIG. 5 schematically shows a flow diagram of a service processing method according to another embodiment of the present disclosure;
FIG. 6 schematically shows a block diagram of a structure of a service processing apparatus according to an embodiment of the present disclosure; and
FIG. 7 schematically shows a block diagram of an electronic device adapted to implement a service processing method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
It should be noted that the business processing method and apparatus disclosed in the present disclosure may be used in the data processing field and the information security field in the financial field, and may also be used in any field other than the financial field.
In the technical scheme of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure, application and other handling of the personal information of the related user all comply with the relevant laws and regulations, necessary confidentiality measures are taken, and public order and good customs are not violated. In the technical scheme of the disclosure, before the personal information of the user is acquired or collected, the authorization or the consent of the user is obtained.
The embodiment of the disclosure provides a service processing method, which includes: after obtaining the user's authorization to acquire identity information, reading first white list information of a primary database in response to a service request initiated by the user, wherein the service request includes a user identifier of the user; reading second white list information of a secondary database when the reading of the first white list information is determined to be abnormal; parsing the second white list information according to the user identifier to obtain authority information, represented in binary form, between the user and the plurality of service components; and routing the service request to the plurality of service components according to the authority information to process the service request.
Fig. 1 schematically shows a system architecture diagram of a service processing method, apparatus, device, medium, and program product according to embodiments of the disclosure.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the service processing method provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the service processing device provided by the embodiment of the present disclosure may be generally disposed in the server 105. The service processing method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Correspondingly, the service processing apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically shows an application scenario of a service processing method according to an embodiment of the present disclosure.
The service system includes two subsystems. The first subsystem and the second subsystem can be an original system and a new system respectively, and the original system and the new system can run in parallel on the same server or on different servers. The first subsystem and the second subsystem may also be an original service module and a new service module, respectively, and the original service module and the new service module may be located in the same system or in different systems. Compared with the original system and the original service module, the new system and the new service module can have new service functions or adopt new development technology.
The service system also includes two types of subsystems. A plurality of subsystems can be involved in the service processing process, and the subsystems are divided into first type subsystems and second type subsystems. The first type subsystem and the second type subsystem may be the original system and the new system, respectively.
The user sends an access request to the service system to handle the corresponding service. Before the user accesses the service system, the identity of the user may be checked against the white list to control the user's access to different subsystems. Users on the white list are allowed to access the second subsystem; users not on the white list can access only the first subsystem. For example, the service processing process involves executing business logic A and business logic B, and after white list verification, the user is allowed to execute business logic A through the new system and allowed to execute business logic B through the original system. For another example, the service processing process involves executing business logic A and business logic B, and after white list verification, the user is allowed to execute business logic A through the new module of the old and new modules for executing business logic A, and allowed to execute business logic B through the old module of the old and new modules for executing business logic B.
The primary database and the secondary database store the same white list information, and the primary database has a higher priority than the secondary database. Optionally, the user identity may be verified through the white list information of the primary database; when the user identity is successfully verified through the primary database, the user can be controlled to access a corresponding system according to a verification result; when the user identity authentication fails through the primary database, the user identity can be authenticated through the white list information of the secondary database, and the user is controlled to access the corresponding system according to the authentication result. Optionally, the user identity may also be verified through the white list information of the secondary database; and when the user identity authentication fails through the secondary database, the user identity is authenticated through the white list information of the primary database.
Because a new system or new function module needs to undergo undifferentiated operation verification before it goes into operation, the white list can be divided along the user dimension to control which system each user queries. In addition, to ensure stable user access to the new and old systems in the service system, a two-level database is used as the storage medium for white list verification. When the primary database is abnormal, the secondary database performs the white list verification of the user, which reduces access failures and ensures the high availability of the service system.
Fig. 3 schematically shows a flow chart of a service processing method according to an embodiment of the present disclosure.
As shown in fig. 3, the service processing method of this embodiment includes operations S310 to S340.
In operation S310, after obtaining the authorization of the user to obtain the identity information, the first white list information of the primary database is read in response to a service request initiated by the user, where the service request includes a user identifier of the user.
In the embodiment of the present disclosure, before the user identifier in the service request initiated by the user is obtained, the agreement or authorization of the user needs to be obtained. For example, after a service request initiated by a user is received, a prompt is sent to the user to inform the user that the identity information of the user needs to be acquired, and the identity information is then acquired if the user agrees or authorizes it. The identity information may be telephone information, face information, voice information, fingerprint information, account password, or identification card information. After the identity information is acquired, it is converted into a user identifier so that the service request carries the user identifier. The user identifier may be a user ID, for example, an internal unique ID set by the banking system for each user.
In operation S320, when it is determined that reading the first white list information is abnormal, second white list information of the secondary database is read.
In the embodiment of the disclosure, the white list verification is performed on the user in advance through the white list information in the primary database. Abnormal reading of the first white list information includes the first white list information being invalid, failure to access the primary database, downtime of the primary database, and the like.
In order to ensure that the business processing is not influenced by the abnormity of reading the first white list information, the second white list information can be read from the secondary database so as to finish the white list verification of the user. In order to ensure the consistency of the data, the first white list information in the primary database is the same as the second white list information in the secondary database.
In operation S330, the second white list information is parsed according to the user identifier, so as to obtain the authority information between the user and the plurality of service components, which is represented in a binary form.
In the embodiment of the present disclosure, the white list information includes authority information corresponding one to one to a plurality of users. Each piece of authority information records the authority relationships between one user and a plurality of service components. A service component may be a software functional module that executes business logic, or may be a functional system that executes business logic.
Data in binary form is composed of the two values "0" and "1" arranged consecutively. Thus, "yes" and "no" may be represented by "0" and "1", respectively, to indicate whether the user is in the white list of the service component. Each binary bit represents the white list relationship between a user and one service component.
In operation S340, the service request is routed to a plurality of service components according to the authority information to process the service request.
In the embodiment of the present disclosure, since reading the first white list information from the primary database fails, the second white list information is read from the secondary database. The user's authority to transact the service is determined from the second white list information according to the unique user identifier. The user's authority is determined through white list verification, which detects whether the user is a white list user. For example, when the user is a white list user, the user is allowed to access the new system to transact business through the new system; when the user is a non-white-list user, the user is only allowed to access the original system to transact business through the original system. For another example, when the user is a white list user, the user is allowed to transact services through a new function module in the system; when the user is a non-white-list user, the user is only allowed to transact business through the original function module in the system.
The service request is routed to a plurality of service components, including routing the service request to a new service component and to an old service component. When the user is a white list user, routing the service request to a new service component for handling the service; and when the user is a non-white list user, routing the service request to the old service component for handling the service.
In the embodiment of the present disclosure, the authority information corresponding to the user identifier may be authority information of a plurality of groups of new and old systems corresponding to one user, or authority information of a plurality of users corresponding to one group of new and old systems.
When the method is used for a specific user, the authority information of the user for each group of new and old systems can be quickly acquired according to the authority information of the user for the plurality of groups of new and old systems. When a new user is added, the authority information of the user for each group of new and old systems can be added in the database to update the white list information.
When the method is applied to a specific new or old system, the authority information of each user for that system can be quickly acquired from the authority information of a plurality of users for one group of new and old systems. When a new system is added, the authority information of each user for the new and old systems can be added to the database so as to update the white list information.
In the disclosed embodiment, the primary database is a cache. The white list information can be quickly acquired through the white list cache, and the information acquisition rate is improved.
Illustratively, the primary database may be a Redis database. Redis is a log-type, high-performance key-value storage system written in ANSI C; it supports networking, is memory-based and can be persistent, and provides APIs for multiple languages. Compared with other databases, it supports storing more value types, including String, list, set, zset, hash, etc. The deployment modes of Redis include single node instance, master-slave mode (master/slave), sentinel mode (sentinel), and cluster mode (cluster).
The secondary database is a distributed database. A distributed database is easy to expand and can store more white list information, so it can be expanded at low cost as the white list data keeps growing with the system. In addition, the distributed database is more tolerant, so it serves as a backstop for the primary database and avoids abnormal white list verification.
Illustratively, the secondary database may be a Cassandra database. The Cassandra database is a distributed NoSQL database system and is also a hybrid non-relational database. Compared with other non-relational databases, the Cassandra database is more feature-rich and more like a relational database. It supports a very loose data structure, in a bjson format similar to JSON, so it can store more complex data types. Cassandra is a distributed network service composed of a collection of database nodes. In a Cassandra write operation, data written to one node can be copied to other nodes; in a Cassandra read operation, the read request is likewise routed to a node for reading. For a Cassandra cluster, the database can be expanded by adding database nodes to the cluster. Meanwhile, the storage space of Cassandra is large, and more white list data can be stored.
In the embodiment of the disclosure, the primary database has higher priority than the secondary database, and the white list verification is preferentially performed through the primary database, and the white list verification is performed through the secondary database under the condition that the primary database is abnormal.
As an alternative, the Cassandra database is used as the primary database and the Redis database is used as the secondary database. And preferably, carrying out white list verification through a Cassandra database, and carrying out white list verification through a Redis database under the condition that the Cassandra database is abnormal.
The configuration rules of the primary database and the secondary database can be set according to the actual white list verification requirements. The two databases can be mutually used as alternatives for each other so as to realize the verification of the bottom.
By the embodiment of the disclosure, the problem that one database is abnormal and the system cannot access is avoided by designing the two-level databases to store the white list information, and the high availability of the service processing method is ensured.
Fig. 4 schematically shows a flow chart for processing a service request according to authority information according to an embodiment of the present disclosure.
Operation S340, routing the service request to a plurality of service components according to the authority information to process the service request, includes operations S410 to S430.
In operation S410, at least one target service component corresponding to at least one service type among the plurality of service components is obtained.
In the embodiment of the present disclosure, the service request includes at least one service type that needs to be executed, for example, the service request includes an account login service and a transaction flow query service. Generally, business logic of one business type may be executed by one business component or may be executed by a plurality of business components.
The white list verification may involve multiple functional systems or multiple functional modules, each of which has a different white list condition for the user. Because the authority information contains the authority relationships between the user and the plurality of service components, the target service components related to the service request need to be obtained from the plurality of service components, so that only the corresponding authority relationships are obtained and redundant information is avoided.
In operation S420, at least one access identifier corresponding to at least one target service component in the rights information is determined.
In the embodiment of the present disclosure, the access identifier is used to indicate whether the user is in the white list of the service component. The access identifier takes the binary values "0" and "1".
As an alternative, the access identifier may be a number, a letter, or any character that can be read and written by the database.
In operation S430, the service request is processed by the at least one target service component according to the at least one access identifier.
In the embodiment of the disclosure, the service request is routed to the corresponding service component for service processing according to at least one access identifier in the authority information of the user.
Illustratively, in a credit card issuing system, the service type of the service request relates to an authorization module and a media account management module. If the access identifier corresponding to the authorization module in the authority information of the user indicates that the user is in the white list of the authorization module, the service request is routed to the new system, and the authorization logic in the service request is executed by the authorization module of the new system. If the access identifier corresponding to the media account management module in the authority information of the user indicates that the user is not in the white list of the media account management module, the service request is routed to the old system, and the media account management logic in the service request is executed by the media account management module of the old system.
In this embodiment of the present disclosure, operation S340, routing the service request to a plurality of service components according to the authority information to process the service request, further includes, in addition to operations S410 to S430: acquiring a flow control identifier in the authority information; and intercepting the service request when it is determined that the flow control identifier indicates that the user is subjected to flow control. The flow control identifier takes the binary values "0" and "1". As an alternative embodiment, the flow control identifier may also be a number, a letter, or any character that can be read and written by the database.
A user is subjected to flow control when, for example, the user needs to be changed from a non-white list user to a white list user for data migration. To avoid data inconsistency between the primary database and the secondary database caused by the data migration, the service request needs to be intercepted and service processing rejected.
As an alternative embodiment, the operation of obtaining the flow control identifier and then intercepting the service request may be performed before operations S410 to S430. If it is determined in advance that the user is being subjected to flow control, operations S410 to S430 need not be performed, which reduces redundant operations and increases the service processing speed.
Since users are rarely subjected to flow control, the operation of acquiring the flow control identifier and then intercepting the service request may instead be performed after operations S410 to S430. Operations S410 to S430 are performed first, the flow control identifier is obtained while the service request is being routed to the corresponding system, and when it is determined that the user is not subjected to flow control, the service processing is performed directly, which increases the service processing speed.
Fig. 5 schematically shows a flow chart of a service processing method according to another embodiment of the present disclosure.
As shown in fig. 5, the service processing method of this embodiment, in addition to operations S310 to S340, further includes operation S350, that is, adding white list information to the primary database and the secondary database.
As business systems mature, the range of white list users in them gradually expands. In financial systems in particular, the number of white list users is large: millions, tens of millions, or even hundreds of millions. The white list can therefore be expanded with the user and the functional module as dimensions, which reduces the difficulty of system development and of operation and maintenance, and saves time and labor costs.
Operation S350, adding white list information to the primary database and the secondary database, includes operations S510 to S540.
In operation S510, new information and a user identifier corresponding to the new information are acquired.
In operation S520, the new information is converted into binary data, in which individual bits respectively represent the flow control identifier and the access identifier of at least one service component.
In operation S530, the binary data is converted into decimal data, the decimal data being authority information.
In operation S540, white list information is generated according to the decimal data and the user identification.
In the embodiment of the present disclosure, the new information is the white list information that needs to be added to the database.
Illustratively, the newly added information is the white list information of a user for three functional modules of a credit card issuing system: an authorization module, a media account management module, and a comprehensive query module. The user is in the white lists of the authorization module and the media account management module, and is not in the white list of the comprehensive query module. The user ID corresponding to the newly added information is acquired at the same time as the user identifier. The newly added information is converted into the binary data 11010. The leading bits of the binary data are the access identifiers of the service components and indicate whether the user is in the white list of the corresponding service component, where 1 means the user is in the white list and 0 means the user is not. The last two bits of the key value are always reserved as the expandable bit of the white list and the flow control identifier, respectively. A flow control identifier of 1 means that the user is subjected to flow control, and 0 means that the user is not. The penultimate bit of the key value is the expandable bit of the white list, which defaults to 1; when the authority relationship between the user and a new service component needs to be added to the authority information, the expandable bit can be modified, and when the binary authority information is read, the position flag of the expandable bit and the position flag of the service component can be ANDed. The binary data "11010" is converted into the decimal data "26", and the decimal data "26" is recorded as the authority information of the user.
The white list information is generated with the decimal data "26" as the value and the user ID as the key, and this key-value pair is added to the primary database and the secondary database.
The white list information in the primary database and in the secondary database may take the same form or different forms, but the white list information values in the two databases are the same.
For example, in the Redis database the key of the white list information is WHITELIST_customer number and the value is 26. In the Cassandra database the stored data is relational data, and the white list information can be represented by three parameters: ID, TYPE and target. In Cassandra, the ID of the user is the customer number (user ID), TYPE is 99 (all data of this TYPE is white list data), and the value is consistent with the value in Redis and is stored as 26.
When the white list information is stored in the primary database and the secondary database in the form of key-value pairs or lists, operation S340, routing the service request to a plurality of service components according to the authority information to process the service request, may include: first obtaining the user identifier and the service type in the service request; reading the decimal value corresponding to the key according to the user identifier (user ID), and converting the decimal value into binary data; identifying, according to the service type and the binary data, the flow control identifier in the binary data and the access identifier of the service component corresponding to each service type; and routing the service request to the corresponding service component for service processing according to the flow control identifier and the access identifier.
According to the embodiment of the disclosure, the white list information is represented in the form of key-value pairs or lists, and the authority relationship between the user and the service components is represented by a value that can be converted into binary. When a new service component or system is later added, or some service component or system is removed, only one bit of binary data needs to be added to or deleted from the binary form of the original key-value pairs and lists in the primary database and the secondary database. This way of extending is non-invasive to the original key-value pairs. In addition, when a white list user needs to be added to or deleted from the database, only the corresponding key-value pair or list data for that user needs to be added or deleted, in the primary database and the secondary database at the same time. Representing the white list information as key-value pairs or lists gives good expandability, and the key-value pairs or list data can be modified in the primary database and the secondary database at the same time, which keeps the two-level database mechanism consistent. Furthermore, the white list information of multiple systems or multiple functional modules is represented in binary form, and, so that the binary data does not keep growing in length as service components keep being added, the binary data is converted into decimal data for storage. This reduces the amount of stored data while still covering a large amount of information, simplifies the data storage method, makes the white list information easy to expand, and effectively reduces development and operation and maintenance costs.
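The encoding in operations S510 to S540 and the decode-and-route step described above, as an added Python example that is not code from the patent. The function names, the service type names in SERVICE_TO_COMPONENT and the fixed 5-bit width are assumptions; the decoder pads to that width because converting 10 (binary 01010) back without padding shifts every flag and would wrongly place the user in the authorization white list.

```python
# Added example, not code from the patent. Bit layout follows the page's "11010":
# one access bit per component, then the expandable bit, then the flow control bit.
COMPONENTS = ("authorization", "media_account_management", "comprehensive_query")
WIDTH = len(COMPONENTS) + 2

# Hypothetical service types and the component that executes each one.
SERVICE_TO_COMPONENT = {
    "authorize": "authorization",
    "manage_media_account": "media_account_management",
    "query": "comprehensive_query",
}


class Intercepted(Exception):
    """The flow control identifier says the user is under flow control."""


def encode_authority(whitelisted, flow_control=False, expandable=True):
    """S520-S530: build the bit string, then return it as a decimal integer."""
    unknown = set(whitelisted) - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown components: {sorted(unknown)}")
    bits = "".join("1" if c in whitelisted else "0" for c in COMPONENTS)
    bits += "1" if expandable else "0"
    bits += "1" if flow_control else "0"
    return int(bits, 2)


def decode_authority(stored):
    """Decimal value (int or decimal string) -> (access map, expandable, flow control)."""
    value = int(str(stored), 10)  # rejects non-numeric input with ValueError
    if not 0 <= value < (1 << WIDTH):
        raise ValueError(f"authority value {value} does not fit {WIDTH} bits")
    bits = format(value, f"0{WIDTH}b")  # fixed width keeps leading zeros
    access = {c: bits[i] == "1" for i, c in enumerate(COMPONENTS)}
    return access, bits[-2] == "1", bits[-1] == "1"


def naive_access(value):
    """Pitfall, shown for contrast: bin() drops leading zeros, so flags shift."""
    return {c: b == "1" for c, b in zip(COMPONENTS, bin(value)[2:])}


def route(stored, service_types):
    """Check flow control first, then map each service type to the new or old system."""
    access, _expandable, flow_control = decode_authority(stored)
    if flow_control:
        raise Intercepted("user is under flow control")
    plan = {}
    for service_type in service_types:
        if service_type not in SERVICE_TO_COMPONENT:
            raise ValueError(f"unknown service type: {service_type}")
        component = SERVICE_TO_COMPONENT[service_type]         # S410
        plan[component] = "new" if access[component] else "old"  # S420-S430
    return plan


if __name__ == "__main__":
    value = encode_authority({"authorization", "media_account_management"})
    print(value, route(value, ["authorize", "query"]))
```

Out-of-range or non-numeric stored values raise an error instead of being decoded, so a corrupted record is rejected rather than granting access.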
In this embodiment of the present disclosure, in operation S350, adding white list information to the primary database and the secondary database further includes: calling a first interface of the primary database and a second interface of the secondary database, wherein the first interface and the second interface are the same; and adding the white list information into the primary database and the secondary database through the first interface and the second interface respectively.
To maintain consistency and expandability, the first white list of the primary database and the second white list of the secondary database implement the same interfaces, for example: adding a single white list entry, adding white list entries in batches, deleting a single white list entry, deleting white list entries in batches, adding flow control for a single user, adding flow control in batches, querying the white list by user ID, and querying the white list by a list of user IDs.
Designing the same interfaces for the first white list of the primary database and the second white list of the secondary database gives the system a uniform style, makes later debugging and verification easier, and gives the service processing method of the disclosure good expandability. If the primary database and the secondary database later need to support more levels of white lists, only the corresponding interfaces need to be added to the first white list of the primary database and to the second white list of the secondary database.
Operation S350, adding the white list information to the primary database and the secondary database, may be performed before operations S310 to S340 or after them.
When operation S350 is performed before operations S310 to S340, the white list information may be stored in the primary database and the secondary database by a data-loading script before the service processing system starts running. If white list information later needs to be added dynamically, the unified interface implemented by the primary database and the secondary database can be called to push the data, or the white list information can again be written into the primary database and the secondary database by the data-loading script. The data-loading program can be implemented in Java; it uses persistent connections to connect to the server of the primary database and the server of the secondary database at the same time, and stores the white list information in each of them. The data-loading program can also be compiled and packaged into a distributable, executable jar package to be called from a script. The original white list data can be stored in a file or a database, and the original white list information can be obtained from the file or the database according to the parameters passed to the script.
In the embodiment of the present disclosure, the service processing method of the embodiment further includes: modifying the flow control identifier in the binary data when it is determined that the white list information has been successfully added to the primary database and the secondary database respectively, where the modified flow control identifier indicates that the user has been released from flow control.
While the authority information of the user is being modified, the flow control identifiers in the authority information of the primary database and the secondary database instruct the system to intercept the service request. After the authority information has been modified, the flow control identifiers in the authority information of the primary database and the secondary database can be modified together. The modification can be made through the same modification interface of the first white list of the primary database and the second white list of the secondary database. Because the authority information can be read in binary form, the "0" or "1" in the binary data can be modified directly without editing or modifying redundant information, so the white list information can be modified quickly and simply.
According to the service processing method provided by the disclosure, two databases are designed to store the white list information synchronously, which avoids the problem that the system becomes inaccessible when one database is abnormal and ensures the high availability of the service processing method. In addition, storing key-value pairs with the same value in the two databases and giving them a uniform interface keeps the two databases consistent and expandable, and effectively reduces development and operation and maintenance costs.
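An added Python example of the shared interface, the primary-then-secondary read, and the release of flow control only after both writes succeed; it is not code from the patent. KeyValueStore and RowStore are in-memory stand-ins for the Redis and Cassandra forms (no real client library is used), and the class and method names, and treating only a raised error as an abnormal read, are assumptions.

```python
# Added example, not code from the patent. In-memory stand-ins only.
FLOW_CONTROL = 0b1  # lowest bit of the authority value, as in "11010"


class StoreAbnormal(Exception):
    """A store could not be read or written."""


class KeyValueStore:
    """Stand-in for the Redis form: key WHITELIST_<customer number> -> value."""

    def __init__(self):
        self.data = {}
        self.abnormal = False  # switch used to simulate an outage

    def put(self, user_id, value):
        if self.abnormal:
            raise StoreAbnormal("key-value store")
        self.data[f"WHITELIST_{user_id}"] = value

    def get(self, user_id):
        if self.abnormal:
            raise StoreAbnormal("key-value store")
        return self.data.get(f"WHITELIST_{user_id}")


class RowStore:
    """Stand-in for the Cassandra form: row (ID, TYPE=99) -> value."""

    WHITELIST_TYPE = 99

    def __init__(self):
        self.rows = {}
        self.abnormal = False

    def put(self, user_id, value):
        if self.abnormal:
            raise StoreAbnormal("row store")
        self.rows[(user_id, self.WHITELIST_TYPE)] = value

    def get(self, user_id):
        if self.abnormal:
            raise StoreAbnormal("row store")
        return self.rows.get((user_id, self.WHITELIST_TYPE))


def under_flow_control(value):
    return value is not None and bool(value & FLOW_CONTROL)


class TwoLevelWhitelist:
    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary

    def read(self, user_id):
        """Primary first; secondary only when the primary read is abnormal."""
        try:
            return self.primary.get(user_id)
        except StoreAbnormal:
            # If the secondary is abnormal too, the error propagates (fail closed).
            return self.secondary.get(user_id)

    def add(self, user_id, authority):
        """Write to both stores with flow control set; release it only if both succeed."""
        stores = (self.primary, self.secondary)
        try:
            for store in stores:
                store.put(user_id, authority | FLOW_CONTROL)
            for store in stores:
                store.put(user_id, authority & ~FLOW_CONTROL)
        except StoreAbnormal:
            # Any store already written and not yet released still carries the
            # flow control bit, so requests are intercepted rather than routed
            # on half-migrated data.
            return False
        return True


if __name__ == "__main__":
    wl = TwoLevelWhitelist(KeyValueStore(), RowStore())
    print(wl.add("C001", 26), wl.read("C001"))
```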
Based on the service processing method, the disclosure also provides a service processing device. The apparatus will be described in detail below with reference to fig. 6.
Fig. 6 schematically shows a block diagram of a service processing apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the service processing apparatus 600 of this embodiment includes a reading module 610, a determining module 620, a parsing module 630, and a routing module 640.
The reading module 610 is configured to, after authorization to acquire the identity information of the user has been obtained, read the first white list information of the primary database in response to a service request initiated by the user, where the service request includes a user identifier of the user. In an embodiment, the reading module 610 may be configured to perform the operation S310 described above, which is not described herein again.
The determining module 620 is configured to read the second white list information of the secondary database when it is determined that reading the first white list information is abnormal. In an embodiment, the determining module 620 may be configured to perform the operation S320 described above, which is not described herein again.
The parsing module 630 is configured to parse the second white list information according to the user identifier to obtain authority information between the user and the plurality of service components, which is represented in a binary form. In an embodiment, the parsing module 630 may be configured to perform the operation S330 described above, which is not described herein again.
The routing module 640 is configured to route the service request to a plurality of service components according to the permission information, so as to process the service request. In an embodiment, the routing module 640 may be configured to perform the operation S340 described above, which is not described herein again.
According to an embodiment of the present disclosure, the service request includes at least one service type. The routing module 640 includes a first obtaining unit, a determining unit, and a processing unit. The first obtaining unit is configured to obtain at least one target service component corresponding to the at least one service type among the plurality of service components; the determining unit is configured to determine at least one access identifier corresponding to the at least one target service component in the authority information; and the processing unit is configured to process the service request through the at least one target service component according to the at least one access identifier.
According to an embodiment of the present disclosure, the routing module 640 further includes a second obtaining unit and an intercepting unit. The second obtaining unit is configured to obtain the flow control identifier in the authority information; and the intercepting unit is configured to intercept the service request when it is determined that the flow control identifier indicates that the user is subjected to flow control.
According to the embodiment of the present disclosure, the service processing apparatus 600 further includes an adding module. The adding module includes a third obtaining unit, a first conversion unit, a second conversion unit, and a generating unit. The third obtaining unit is configured to obtain new information and a user identifier corresponding to the new information; the first conversion unit is configured to convert the new information into binary data, in which individual bits respectively represent the flow control identifier and the access identifier of at least one service component; the second conversion unit is configured to convert the binary data into decimal data, the decimal data being the authority information; and the generating unit is configured to generate white list information according to the decimal data and the user identifier.
According to the embodiment of the disclosure, the adding module further comprises a calling unit and an adding unit. The calling unit is used for calling a first interface of the primary database and a second interface of the secondary database, and the first interface and the second interface are the same; and the adding unit is used for respectively adding the white list information into the primary database and the secondary database through the first interface and the second interface.
According to the embodiment of the present disclosure, the service processing apparatus further includes a modification module, configured to modify the flow control identifier in the binary data when determining that the white list information is successfully added to the primary database and the secondary database, respectively, and the modified flow control identifier indicates that the user has been released from flow control.
According to an embodiment of the present disclosure, any plurality of the reading module 610, the determining module 620, the parsing module 630 and the routing module 640 may be combined into one module to be implemented, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the reading module 610, the determining module 620, the parsing module 630 and the routing module 640 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware and firmware, or in any suitable combination of any of them. Alternatively, at least one of the reading module 610, the determining module 620, the parsing module 630 and the routing module 640 may be at least partially implemented as a computer program module, which when executed may perform a corresponding function.
Fig. 7 schematically shows a block diagram of an electronic device adapted to implement a service processing method according to an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. Note that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 700 may also include input/output (I/O) interface 705, which input/output (I/O) interface 705 is also connected to bus 704, according to an embodiment of the present disclosure. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code causes the computer system to implement the service processing method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 701. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, and the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. A service processing method comprises the following steps:
after obtaining the authorization of a user for obtaining identity information, responding to a service request initiated by the user, and reading first white list information of a primary database, wherein the service request comprises a user identifier of the user;
reading second white list information of a secondary database under the condition that the reading of the first white list information is determined to be abnormal;
analyzing the second white list information according to the user identification to obtain authority information between the user and a plurality of service components represented in a binary form; and
routing the service request to the plurality of service components according to the authority information so as to process the service request.
2. The service processing method according to claim 1, wherein the service request comprises at least one service type; the routing the service request to the plurality of service components according to the authority information to process the service request comprises:
acquiring at least one target service component corresponding to the at least one service type in the plurality of service components;
determining at least one access identifier corresponding to the at least one target service component in the authority information; and
processing the service request through the at least one target service component according to the at least one access identifier.
3. The service processing method according to claim 1 or 2, wherein said routing the service request to the plurality of service components to process the service request according to the authority information further comprises:
acquiring a flow control identifier in the authority information; and
intercepting the service request under the condition that the flow control identifier indicates that the user is subjected to flow control.
4. The service processing method according to claim 1, wherein the method further comprises: adding white list information in the primary database and the secondary database;
the adding white list information in the primary database and the secondary database comprises:
acquiring newly added information and a user identifier corresponding to the newly added information;
converting the newly added information into binary data, wherein the binary data comprises at least one bit of binary values respectively representing a flow control identifier and an access identifier of at least one service component;
converting the binary data into decimal data, wherein the decimal data is authority information; and
generating white list information according to the decimal data and the user identifier.
5. The service processing method according to claim 4, wherein said adding white list information in said primary database and said secondary database further comprises:
calling a first interface of the primary database and a second interface of the secondary database, wherein the first interface and the second interface are the same; and
adding the white list information to the primary database and the secondary database through the first interface and the second interface respectively.
6. The service processing method according to claim 4, wherein the method comprises:
modifying the flow control identifier in the binary data under the condition that the white list information is determined to be successfully added to the primary database and the secondary database respectively, wherein the modified flow control identifier indicates that the user is released from flow control.
7. The service processing method according to claim 1, wherein the primary database is a cache and the secondary database is a distributed database.
8. A service processing apparatus, comprising:
a reading module, used for, after obtaining the authorization of a user for obtaining identity information, responding to a service request initiated by the user and reading first white list information of a primary database, wherein the service request comprises a user identifier of the user;
a determining module, used for reading second white list information of a secondary database under the condition that the reading of the first white list information is determined to be abnormal;
an analysis module, used for analyzing the second white list information according to the user identifier to obtain authority information between the user and a plurality of service components represented in a binary form; and
a routing module, used for routing the service request to the plurality of service components according to the authority information so as to process the service request.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 7.
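The following Python sketch is an added illustration of claims 1, 3 and 4, not code from the patent or its applicant: it packs a flow control identifier and per-component access identifiers into bits stored as a decimal value, reads the primary store with fallback to the secondary store, and routes the request. The bit layout, the component names, the `StoreUnavailable` exception, the reader callables, and the choice to deny when both stores are unreadable or the user is absent are all assumptions.

```python
from typing import Callable, Iterable, Optional

# Assumed layout (the claims do not fix one): bit 0 is the flow control
# identifier, bits 1..n are access identifiers for hypothetical components.
COMPONENTS = ("account", "payment", "loan")

class StoreUnavailable(Exception):
    """Raised by a store reader when the read is abnormal (timeout, outage)."""

Reader = Callable[[str], Optional[int]]  # user id -> decimal authority value

def encode_permissions(flow_controlled: bool, allowed: Iterable[str]) -> int:
    """Claim 4: pack the identifiers into bits, store the decimal value."""
    allowed = set(allowed)
    if not allowed <= set(COMPONENTS):
        raise ValueError(f"unknown components: {allowed - set(COMPONENTS)}")
    value = int(flow_controlled)
    for bit, name in enumerate(COMPONENTS, start=1):
        if name in allowed:
            value |= 1 << bit
    return value

def decode_permissions(value: int) -> tuple[bool, set[str]]:
    """Reject values with bits outside the known layout instead of guessing."""
    if not 0 <= value < 1 << (len(COMPONENTS) + 1):
        raise ValueError(f"authority value out of range: {value}")
    allowed = {n for bit, n in enumerate(COMPONENTS, start=1) if value >> bit & 1}
    return bool(value & 1), allowed

def route(user_id: str, service_types: Iterable[str],
          primary: Reader, secondary: Reader) -> list[str]:
    """Return the components the request may reach; an empty list means denied."""
    try:
        try:
            value = primary(user_id)
        except StoreUnavailable:
            value = secondary(user_id)  # claim 1: fall back on abnormal read
    except StoreUnavailable:
        return []  # assumption: both stores down means deny, not allow
    if value is None:
        return []  # user is not on the white list
    flow_controlled, allowed = decode_permissions(value)
    if flow_controlled:
        return []  # claim 3: intercept flow-controlled users
    return [s for s in service_types if s in allowed]
```

With this layout, a user allowed `account` and `loan` and not flow controlled is stored as binary 1010, decimal 10.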
CN202210189665.6A 2022-02-28 2022-02-28 Service processing method, device, equipment, medium and program product Pending CN114528592A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210189665.6A CN114528592A (en) 2022-02-28 2022-02-28 Service processing method, device, equipment, medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210189665.6A CN114528592A (en) 2022-02-28 2022-02-28 Service processing method, device, equipment, medium and program product

Publications (1)

Publication Number Publication Date
CN114528592A true CN114528592A (en) 2022-05-24

Family

ID=81625189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210189665.6A Pending CN114528592A (en) 2022-02-28 2022-02-28 Service processing method, device, equipment, medium and program product

Country Status (1)

Country Link
CN (1) CN114528592A (en)

Similar Documents

Publication Publication Date Title
US11132278B2 (en) Application programming interface security validation for system integration testing
US9081978B1 (en) Storing tokenized information in untrusted environments
WO2021197432A1 (en) Routing method and apparatus for database cluster
US10614208B1 (en) Management of login information affected by a data breach
US10586025B2 (en) Managing the display of hidden proprietary software code to authorized licensed users
US20200250587A1 (en) Framework for multi-tenant data science experiments at-scale
CN115587575A (en) Data table creation method, target data query method, device and equipment
CN114254389A (en) Message desensitization method, device, electronic equipment and medium
CN114281803A (en) Data migration method, device, equipment, medium and program product
US20220385596A1 (en) Protecting integration between resources of different services using service-generated dependency tags
CN115033574A (en) Information generation method, information generation device, electronic device, and storage medium
CN114528592A (en) Service processing method, device, equipment, medium and program product
CN114237821A (en) Self-discovery method and device for Kubernetes container cluster, electronic device and storage medium
CN116401319B (en) Data synchronization method and device, electronic equipment and computer readable storage medium
CN114640585B (en) Resource updating method and device, electronic equipment and storage medium
CN111914065B (en) Short message content verification method, device, computer system and computer readable medium
US20230153457A1 (en) Privacy data management in distributed computing systems
CN116760640B (en) Access control method, device, equipment and storage medium
US20230153450A1 (en) Privacy data management in distributed computing systems
CN113760835A (en) Log management method, middlebox system, electronic device and storage medium
CN113760893A (en) Instruction control method, apparatus, computer system, and computer-readable storage medium
CN116028907A (en) Application management method, system, equipment and storage medium
CN114356176A (en) Data acquisition method, data acquisition system, data acquisition equipment and data acquisition medium
CN115421779A (en) Object storage method and device, electronic equipment and computer readable storage medium
CN113568838A (en) Test data generation method, device, equipment, storage medium and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination